Firewall Wizards mailing list archives

Re: Placement of a VPN Appliance


From: "Crist Clark" <crist.clark () globalstar com>
Date: Wed, 03 Jan 2001 18:39:38 -0800

Ben Nagy wrote:

> [snip]
>
> > [0] Oh, and there is that complete abomination of UDP encapsulated
> > IPsec we'll probably have to let through.
>
> What makes you unhappy with IPSec-in-UDP? It seems like a cool hack, to me.
> Solves the NAT problem nicely. Yes, there's a performance hit, but that's
> the price you pay. I'd actually like to see an RFC / registered port for it,
> to tell the truth - just for interop purposes.

I don't like it because there is no real "NAT problem" (other than the fact
that NAT just plain breaks IPsec, but who lets a little issue like that get
in the way of listing a new feature on a product). UDP encapsulation is a
hack to support really, really, really lazy NAT vendors and users. The SA
in an ESP header is just screaming out to be used by a NAT daemon as an
identifier for mappings in the translation table. Using an SA for NAT is
even better than UDP port numbers since it is "more unique." Plus, people
have icky MTU problems with plain ol' IPsec; adding another encapsulation
step will just make that worse.

But then again, I may be a zealot. I think we should all be going to
IPv6 if we really want IP security. Doing all this on IPv4 is just an
ackbasswards hack in the first place, and adding another encapsulation
in UDP at the transport layer is an (ackbassward hack)^2.

OK, that's enough ranting for today... I really don't know where that
came from. Time to go home.

Thanks for the reply. Helps reassure me that I have not missed something.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
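The two technical points in the reply above, a NAT translation table keyed on the ESP SPI instead of UDP ports and the extra MTU cost of one more encapsulation header, as an added Python example that is not part of the original post or the list archive. Assumptions: the NAT is handed the inbound SPI directly (`install_sa`), whereas a real NAT would have to learn it, for instance by watching the IKE exchange, because the inside host picks its own inbound SPI; the ESP trailer and ICV size depend on the algorithms and are left as a parameter; the UDP encapsulation is modelled as a plain 8-byte UDP header; every address and packet below is constructed.

```python
"""SPI-keyed NAT for ESP, and the MTU cost of UDP encapsulation (toy model).

Added example; all packets and addresses are constructed for the demo.
"""
import struct
from ipaddress import IPv4Address

ESP_HEADER = struct.Struct("!II")  # SPI (4 bytes) + sequence number (4 bytes)
IPV4_HEADER_LEN = 20               # outer IPv4 header, no options
UDP_HEADER_LEN = 8                 # the extra header UDP encapsulation adds


def parse_esp_header(esp: bytes) -> tuple:
    """Return (spi, seq) from the fixed 8-byte ESP header, rejecting SPI 0."""
    if len(esp) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack_from(esp)
    if spi == 0:
        # SPI 0 is reserved and never identifies a security association.
        raise ValueError("SPI 0 is not a valid SA identifier")
    return spi, seq


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed ESP packet for the demo: header followed by opaque payload."""
    return ESP_HEADER.pack(spi, seq) + ciphertext


class SpiNat:
    """NAT that multiplexes inbound ESP on (remote peer, SPI), not on ports.

    Outbound ESP needs only the source address rewritten: the SPI travels
    untouched inside the packet, which is what makes it usable as the key.
    """

    def __init__(self, public_ip: str):
        self.public_ip = IPv4Address(public_ip)
        self._inbound = {}  # (peer_ip, inbound_spi) -> inside_ip

    def install_sa(self, peer_ip: str, inbound_spi: int, inside_ip: str) -> None:
        """Install the inbound mapping (assumption: learned out of band, e.g. from IKE)."""
        key = (IPv4Address(peer_ip), inbound_spi)
        inside = IPv4Address(inside_ip)
        if self._inbound.get(key, inside) != inside:
            raise ValueError(f"SPI {inbound_spi:#x} from {peer_ip} already mapped")
        self._inbound[key] = inside

    def translate_outbound(self, inside_ip: str, peer_ip: str, esp: bytes) -> tuple:
        """Rewrite src to the public address; ESP header stays as it is."""
        parse_esp_header(esp)  # validate before forwarding
        return str(self.public_ip), peer_ip, esp

    def translate_inbound(self, peer_ip: str, esp: bytes):
        """Forward to the inside host that owns (peer, SPI); drop if unknown."""
        spi, _ = parse_esp_header(esp)
        inside = self._inbound.get((IPv4Address(peer_ip), spi))
        if inside is None:
            return None  # no SA known for this peer/SPI: drop, do not guess
        return peer_ip, str(inside), esp


def inner_mtu(link_mtu: int, udp_encapsulated: bool, esp_trailer: int = 0) -> int:
    """Bytes left for the inner packet after outer IPv4, ESP header,
    the caller-supplied ESP trailer/ICV, and (if used) the UDP header."""
    overhead = IPV4_HEADER_LEN + ESP_HEADER.size + esp_trailer
    if udp_encapsulated:
        overhead += UDP_HEADER_LEN
    return link_mtu - overhead


if __name__ == "__main__":
    nat = SpiNat("198.51.100.1")
    nat.install_sa("203.0.113.5", 0xC0FFEE, "10.0.0.2")
    pkt = build_esp(0xC0FFEE, 1, b"\x00" * 16)
    print(nat.translate_inbound("203.0.113.5", pkt))
    print(nat.translate_inbound("203.0.113.5", build_esp(0xBADBAD, 1, b"")))
    print(inner_mtu(1500, False), inner_mtu(1500, True))
```

The drop-on-unknown path in `translate_inbound` is the part worth keeping in mind: an SPI the NAT has never been told about must not be forwarded to any inside host, since that is exactly the state a port-based NAT table handles for UDP and an SPI-keyed one has to handle for ESP.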
